ACCESS CONTROL LISTS



This application is related to the following co-pending U.S. Patent Application:

U.S. patent application Ser. No. 09/130,890.

FIELD OF THE INVENTION 
The present invention relates generally to computer 
networks, and more specifically, to a method and apparatus 

BACKGROUND OF THE INVENTION 
A computer network typically comprises a plurality of interconnected entities that transmit (i.e., "source") or receive (i.e., "sink") data frames. A common type of computer network is a local area network ("LAN") which typically refers to a privately owned network within a single building or campus. LANs employ a data communication protocol (LAN standard), such as Ethernet, FDDI or Token Ring, that defines the functions ... protocol stack ... corresponding to the ... (OSI) Reference Model. In many instances, multiple LANs ...

... Layer 4, Layer 5, Layer 6 ... appliances. Many applications are assigned specific, fixed TCP and/or UDP port numbers in accordance with Request for Comments (RFC) 1700. For example, TCP/UDP port number 80 corresponds to the hyper text transport protocol (HTTP), while port number 21 corresponds to file transfer protocol (ftp) service.

... packet ... corresponding to the Internet Protocol. The packet includes a protocol field 104, an IP source address (SA) field 106, an IP destination address (DA) field 108 and a data field 110. FIG. 2 is a partial block diagram of a Transport Layer packet 200. Packet 200 includes a source port field 202, a destination port field 204 and a data field 206, among others. Fields 202 and 204 identify the local end points of the ... and certain predefined or dynamic ...



... defines how entities interact with each other. In particular, TCP/IP defines a series of communication layers, including a transport layer and a network layer. At the transport layer, TCP/IP includes both the User Datagram Protocol (UDP), which is a ... transport protocol, and TCP which ... passes them to the upper layer of the TCP/IP communication stack ... of the stack where they are encapsulated into packets and frames. Each layer also adds information in the form of a header to the messages. The frames are then transmitted over ...

Access Control Lists

Some networking software, including the Internetwork Operating System (IOS®) from Cisco Systems, Inc., supports the creation of access control lists (ACLs), which are typically used to prevent certain traffic ... (e.g., dropped) ... certain predefined ... layer application based on TCP/UDP port ...



... couple LANs together and allow ... to provide a "bridging" function between two or more ... frames or packets ... ports that couple the switch to ...




... or re-ordered. To modify an existing access control list, many systems required the original list to be deleted and a new list to be created and saved. ... the intermediate device copies the original list to its dynamic memory. When a packet is ... module of IOS ... Accordingly, at the end of the list a "deny all traffic" statement is often added. Thus, if a given packet does not match any of the criteria statements, the packet will be discarded. ... per interface, only a single list may be evaluated per direction. For purposes of ... the lists are relatively short. Nevertheless, ... software modules can significantly degrade the device's performance (e.g., number of packets processed per second). This degradation in performance has been accepted mainly due to a lack of acceptable alternatives. It is ...

... manipulation engine performs one or more operations on the specified ACLs (in BDD format) to generate a single, unified ACL for the given interface. In order to prioritize the possibly conflicting actions output by the ACLs assigned to a given network message, the ACL converter preferably utilizes one or more predefined conflict resolution tables during the merging process.

... stations and/or devices. The network device further includes an additional memory device, such as an associative or content addressable memory (CAM), portions of which may be assigned to each interface. The network device also includes the novel ACL converter which is in communication with the NVRAM in order to access the ACLs, the dynamic memory and also the CAM. Preferably, the boolean transformation engine converts the single, unified intermediate ACL from BDD format into a second boolean representation, which, in the preferred embodiment, is a sum of products (SOP) format. The single, unified ACL (in SOP format) is then mapped to that portion of the CAM associated ... single, unified ACL defined per interface per ... and stored in a CAM-type memory, the intermediate ...



... whether a given packet should be encrypted and/or whether a particular quality of service (QoS) treatment should be applied. Accordingly, it ... messages. In particular, upon receipt of a packet at ... lists may be assigned to a single interface. As ... device tests the packet against the single, unified ACL stored in the corresponding portion of the CAM. When a match is found, the corresponding decision is returned to the ...

... in performance will likely reach ... and evaluation of multiple access control lists ... This is especially true ... functionality is being implemented ... increase the speed and ...



... apparatus for optimizing access control lists. It is a further object of the present invention to provide a method and apparatus for merging multiple access control ... object of the present invention ...

Briefly, the invention relates to a method and apparatus ...

The above and further advantages of the invention may be better understood by referring to the following description in conjunction with the accompanying drawings, in which:

FIGS. 1 and 2, previously discussed, are ...

FIGS. 5A-5E are schematic representations ... access control lists;

FIGS. 6-7, 9A, 9B and 12 are ...

FIG. 8 is a schematic representation ...



... binary decision diagram (BDD). The boolean manipulation engine then optimizes and merges the ACLs specified for a given interface of the device. That is, the boolean manipulation engine ...


PREFERRED EMBODIMENT

FIG. 3 ... A plurality of end stations, such as end stations 306-312, and ..., such as servers 313 and 314, may be coupled to LANs 302 ... intermediate network device 316. Device 316 may also provide LANs 302 and 304 with connectivity to other networks, such as the well-known Internet 318. ... end stations 306-312 and servers 313 and 314 typically communicate with each other by ... according to predefined ... Control Protocol/Internet Protocol (TCP/IP), the Internet Packet Exchange (IPX) protocol, ..., the DECNet protocol or NetBIOS Extended User Interface (NetBEUI). ... layer of the communication stack implemented within the network 300. For example, device 316 ... may also implement ... processing path determination and path switching functions ... components including network interfaces ... establishing physical ports and interfaces for exchanging network messages.

... is intended broadly to cover any intermediate device operating primarily at the internetwork layer, including, without limitation, routers as defined by Request for Comments (RFC) 1812 from the Internet Engineering Task Force (IETF), intermediate devices that are only partially compliant with RFC 1812, intermediate devices that provide additional ... with other intermediate ... to broadly cover any intermediate device operating primarily at the data link layer, including, without limitation, devices that are fully or partially compliant with the IEEE 802.1D MAC Bridge standard and intermediate devices that provide additional functionality such as Virtual Local Area Network (VLAN) support, IEEE 802.10 support and/or IEEE 802.1p support, Asynchronous Transfer Mode (ATM) switches, Frame Relay switches, etc.

It should be understood that the network configuration 300 of FIG. 3 is for illustrative purposes only and that the ... complex network topologies.

FIG. 4 is a partial block diagram of the intermediate network device 316. Device 316 preferably includes a ... to the network 300. That is, interfaces 402a-402e are in communication with LANs 302 and 304 and Internet 318. Each interface 402a-e, moreover, may be associated with one or more physical ports (not shown). Device 316 further includes at least one forwarding entity 404, a central processing unit (CPU) 406, non-volatile memory (NVRAM) 408, dynamic memory 409, and one or more content addressable or associative memories ... to NVRAM 408 ... ACLs 416a-416e, such as ACLs 101, 202, 303, 404 and 505, and also to dynamic memory 409. Forwarding entity 404 may include a plurality of conventional sub-components configured to implement QoS treatments, such as a packet/frame classifier 420, a scheduler 422, a shaper ... 404 coupled to the CPU 406 ... TCAM 410, which may be apportioned into segments 410a-e whereby each ... 402a-e ... and memory 411. As described below, the forwarding entity 404 is basically configured to forward or switch network messages among the various interfaces 402a-e of device 316.

It should be understood that each TCAM segment 410a-e may be further apportioned or sub-divided. For example, each TCAM segment 410a-e may be apportioned into input ...

Device 316 further includes an access control list (ACL) converter 424. ACL converter 424 is operatively coupled to NVRAM 408 for accessing the text-based ACLs 416a-e, dynamic memory 409 for processing the ACLs 416a-e, and to TCAM 410 and its associated memory 411 for storing modified versions of the ACLs 416a-e, as described below. ... implemented in hardware through a plurality of ... circuits and cooperating state machines. Those skilled in the art will recognize that other combinations of ... hardware implementations may be utilized. ... are the Catalyst 8500® series of switch routers and/or the Catalyst® 6000 family of multilayer switches, both from Cisco Systems, Inc. A suitable TCAM 410 for use with the present invention is described in co-pending U.S. patent application Ser. No. 09/130,890, filed Aug. 7, 1998, which ...



... applied to messages matching ACE statements having "permit" actions. If the matching action is "deny", then no QoS treatment is applied to the message. ... ACLs to each of the remaining interfaces 402b-402e at ... particular function or ... a network administrator may assign ACLs 416a-416e to interface 402a, ACLs 416a, 416b and 416c to interface 402b, ACLs 416a, 416b, 416d and 416e to interface 402c and so on. It should ... to which they are assigned. For example, at interface 402b, ... will ... be defined and downloaded ...

Translation of Access Control Lists into Binary Decision Diagram Representation

Once the text-based ACLs have been downloaded to device 316, stored at NVRAM 408 and assigned to a ... optimize them. In sum, ACL converter 424 transforms the ... binary decision diagram (BDD) ... 424 then merges ... into a single, unified ACL and stores these single, unified ACLs in the TCAM 410 for subsequent use by the forwarding entity 404. It should be understood that each ACE ... "if condition, then action" format. The condition statement, moreover, corresponds to the particular criteria (e.g., IP SA=2.5.4.x and Source Port=100) and the action corresponds ... It should be further understood that, to the extent one or ... remain unmodified ... steps of FIG. 6 ...

... ACL converter 424 for converting the individual ACE statements of a given ACL into BDD format. The process begins at start block 602. First, the ACL converter 424 retrieves a given text-based ACL, such as ACL 416a, from NVRAM 408, as indicated at block 604. Next, the ACL ... 606. The boolean transformation engine 426 of the ACL ... ACL 416a. A suitable process for converting a text-based ACE statement into BDD representation is disclosed in G. Hachtel and F. Somenzi, Logic Synthesis and Verification Algorithms (Kluwer Academic Publishers 1996) at pp. 225-226, which is hereby incorporated by reference in its entirety. ... generated by the present invention are reduced-ordered BDD representations. That is, the BDD representations are ordered in the sense that variables appear in the same order ... that there are no isomorphic ... be found in the Logic Synthesis ... 211. Accordingly, the term BDD as used herein generally refers to a reduced-ordered BDD.

The boolean transformation engine 426 then places the ... block 610. At this point, the BDD representation of ACE 502 ... The boolean transformation engine 426 determines whether there is another ACE in the subject ACL, as ... transformation engine ... to ... at block 614, and returns ... of the stack containing the BDD representation for ACE 502. ... engine 426 until all of the ACE statements in the subject ACL 416a have been translated into BDD format and stacked. Furthermore, the BDD associated with ACE 502 is at the bottom of the stack and the BDD associated with ACE 514 is at the top of the stack. ... rather than forming a stack, may form one or more other data ...

... 424 next proceeds to build a BDD representation for the entire ACL (e.g., ACL 101) by merging the BDDs generated for the individual ACEs (e.g., ACEs 502-514). FIG. 7 is a flow diagram of the steps performed by the ACL converter 424 to merge the ACEs of a given ... preferably begins at start block 702. First, the boolean manipulation engine 428 initializes a selected function, F, to zero, as indicated at block 704. The function F simply represents a ... to represent the subject ACL (e.g., ACL 416a) in BDD format. As ... 428 then "pops" the BDD representation for the ACE statement ... The boolean manipulation engine 428 then applies an If-Then-Else (ITE) operator to the popped BDD representation and the current function F, thereby generating a new version of the function F (e.g., F'), as indicated at block 708. Suitable techniques for applying an ITE operator to two boolean functions (i.e., the BDD representation of the ACE statement and the function F) are disclosed in the Logic Synthesis and Verification Algorithms text at pp. 234-237.

Next, the boolean manipulation engine 428 preferably ... shown by block 710. Dynamic ... be described in detail here. A description of dynamic re-ordering as applied to BDDs can be found in R. Rudell, Dynamic Variable Ordering for Ordered Binary Decision Diagrams, from the Institute of Electrical and Electronics Engineers (IEEE), which is hereby incorporated by reference in its entirety. Preferably, the dynamic re-ordering of block 710 takes place as the BDD for the subject ACL is ... determines whether the stack is empty, as ... 712. If not, the process returns to block ... representation for the next ACE statement ... the current version of the ... repeated until each of the BDD representations ...
... specified by the Mth ACL ... none of the intersecting ... function G, as indicated by ... converter 424 can adopt ... it can adopt the action ... an entirely new ... example, the ... conflict could be reported to the network manager. In ... modifying the corresponding ACL ... be re-started with the ... should not result in any conflicts. In the preferred embodiment, the ACL converter 424 resolves detected conflicts itself without any input from or modifications by the ...

... FIG. 10A represents a preferred conflict resolution table 1000 for use on the inbound side of an interface and FIG. 10B represents a preferred conflict resolution table 1050 for use on the outbound side of an interface. Inbound conflict resolution table 1000 may be arranged in a table format and include a plurality of columns each corresponding to a possible ACL feature that may be assigned to a given inbound interface, for example, a first ... ACL, a third ... column 1008 corresponds to a NAT ACL. Another column ... from the ACL features of columns 1002-1008. ... columns 1052-1060 ... and NAT, respectively. Another column 1062 represents the final or merged action to be implemented by the forwarding entity. Similarly, a plurality of rows 1070-1082 represent the possible combinations of conflicting actions from the ACL features of columns 1052-1060. Conflict resolution tables 1000 and 1050 are preferably preconfigured by the network administrator at the management station or by some other entity, and downloaded ... 1050 to dynamic memory 409 upon initialization in a similar ...

... encryption) being merged, it accesses the corresponding action specified by the conflict resolution table 1000 or 1050 (depending on whether the merged ACL being ...) ... the identified conflict. The ACL converter 424 preferably ... 1000 or 1050 ... merging the retrieved BDD-formatted ACL with the function G (either at block 914 or 918), the boolean manipulation engine 428 determines whether another feature ACL has been assigned to interface 402a, as indicated ... counter M ... indicated at block 922 and ... to block 908. Boolean manipulation engine 428 again retrieves the Mth BDD-formatted ACL for interface 402a (e.g., ACL 416c which is associated with encryption), as indicated at block 908, and merges it with the boolean function G, as described above. This loop is repeated until all of the ACLs assigned to the given interface (e.g., interface 402a) have been merged into function G. At this point, there are no additional ACLs to be merged, and ...

It should be understood that ACL converter 424 may utilize other conflict resolution techniques besides tables 1000, 1050. FIG. 11, for example, illustrates a priority table 1100 that may be utilized by ACL converter 424 to resolve potential conflicts. Priority table 1100 includes a plurality of columns, including a feature column 1102, an ACL action column 1104, an executed action column 1106 (identifying the ... forwarding entity) and a priority column 1108. The priority table 1100 further includes a plurality of rows 1110-1120. Each row, moreover, corresponds to a particular ACL feature and ... For example, a permit action from a security ACL (e.g., row 1112) ... conflicting ACLs. The ACL converter 424 then adopts the ... by the security ACL (row 1112) ... and the ... action for the security ACL and drops corresponding messages.

Mapping Merged ACLs to TCAM

At this point, the ACL converter 424 has generated a single, unified, BDD-formatted ACL that merges all of the ACLs assigned to a particular interface. The next step is to map this single, unified ACL into the selected storage device ... subsequent access by ... writes a cover (i.e., a two-level formula) for the function G, ... Preferably, the cover is written in Sum-of-Products (SOP) format, since this format is most easily translated into the TCAM. That is, each product or implicant from a SOP



... implemented at a row of the TCAM 410. Although a disjoint SOP cover can be computed directly from the single, unified BDD, the result is often suboptimal ... reduce the number of ... (and hence the number of rows needed in the TCAM) ... zero-suppressed BDD (ZDD) ... producing covers, and then computes a cover ... ZDDs, which are also canonical, differ from BDDs in that a node is suppressed if its "then" child is the ... whereas, for BDDs, a node is suppressed if its ... of the function ... irredundant SOP (ISOP). This may be done, for example, by applying the Morreale Theorem or by utilizing well-known Karnaugh maps. Computation of the ISOP ... function interval, which is an incompletely specified function, so as to obtain a more efficient coverage for use with TCAM 410. The function interval may be produced by ...

... block 928. More specifically, the ACL converter ... (e.g., segment 410a) of the TCAM 410 that corresponds to the interface and direction being processed (e.g., interface 402a). Each row of the TCAM 410 preferably corresponds to a product term of the SOP-formatted, unified ACL. For each product term ... action in memory 411. More specifically, each row of the TCAM 410 corresponds ... (i.e., row) of the TCAM 410. Thus, when the ACL converter 424 writes a product term into the TCAM 410, it also writes the action that matches that product term, and is to be implemented by the forwarding entity 404 (e.g., permit, deny, forward to CPU 406, etc.), into the space or location of memory 411 that corresponds to the respective row of the TCAM 410. This process is then repeated for each ...

The optimizing, merging ... procedure of device 316, or in response to ... downloaded or assigned ... It should be understood that other solutions for merging the multiple ACLs assigned to a given interface into a single, unified ACL may alternatively be employed. For example, ... assigned 3 ACLs (e.g., ...
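The pipeline described above (ACE statements folded into one reduced-ordered BDD by repeated ITE, a disjoint SOP cover read off the BDD as TCAM value/mask rows with their actions, and a single root-to-terminal walk per packet), as an added Python example that is not the patent's code. The 24-bit header, the field names and the three ACEs are constructed for illustration, and the cover is the path-enumeration one the description calls suboptimal.

```python
FIELDS = [("sa", 8), ("proto", 8), ("dport", 8)]   # constructed toy 24-bit header
# BDD variable index per (field, bit); the most significant bit of each field comes first
VAR = {fb: i for i, fb in enumerate((n, b) for n, w in FIELDS for b in range(w - 1, -1, -1))}

class BDD:                                  # minimal reduced-ordered BDD: 0 = FALSE, 1 = TRUE
    def __init__(self, nvars):
        self.nvars = nvars
        self.nodes = [None, None]           # node id -> (var, low, high)
        self.unique = {}                    # (var, low, high) -> id: sharing makes it canonical
        self.ite_cache = {}

    def var(self, n):                       # terminals order after every real variable
        return self.nodes[n][0] if n > 1 else self.nvars

    def mk(self, v, lo, hi):                # reduction: no redundant test, no duplicate node
        if lo == hi:
            return lo
        key = (v, lo, hi)
        if key not in self.unique:
            self.unique[key] = len(self.nodes)
            self.nodes.append(key)
        return self.unique[key]

    def cofactor(self, n, v, bit):          # restrict v to bit when v is n's top variable
        return n if n <= 1 or self.var(n) != v else self.nodes[n][1 + bit]

    def ite(self, f, g, h):
        """If-Then-Else: Shannon expansion on the smallest top variable of f, g and h."""
        if f == 1 or g == h: return g
        if f == 0: return h
        if (g, h) == (1, 0): return f
        key = (f, g, h)
        if key not in self.ite_cache:
            v = min(self.var(f), self.var(g), self.var(h))
            lo = self.ite(*(self.cofactor(x, v, 0) for x in key))
            hi = self.ite(*(self.cofactor(x, v, 1) for x in key))
            self.ite_cache[key] = self.mk(v, lo, hi)
        return self.ite_cache[key]

def cond_bdd(bdd, cond):
    """ACE condition {field: (value, mask)} -> BDD; unmasked bits are don't-cares."""
    f = 1
    for name, (value, mask) in cond.items():
        for b in range(dict(FIELDS)[name]):
            if mask >> b & 1:
                bit = value >> b & 1
                f = bdd.ite(f, bdd.mk(VAR[(name, b)], 1 - bit, bit), 0)   # f AND literal
    return f

def merge_acl(bdd, acl):
    """acl: ordered list of (condition, "permit"|"deny"). F starts at 0 (the implicit trailing
    "deny all"); wrapping ITE(cond, action, F) from the last ACE back to the first gives the
    earliest matching ACE priority, the same decision as sequential first-match evaluation."""
    f = 0
    for cond, action in reversed(acl):
        f = bdd.ite(cond_bdd(bdd, cond), 1 if action == "permit" else 0, f)
    return f

def evaluate(bdd, f, pkt):                  # one root-to-terminal walk: cost bounded by #variables, not #ACEs
    bits = {VAR[(n, b)]: pkt[n] >> b & 1 for n, w in FIELDS for b in range(w)}
    while f > 1:
        v, lo, hi = bdd.nodes[f]
        f = hi if bits[v] else lo
    return "permit" if f == 1 else "deny"

def tcam_rows(bdd, f):
    """Disjoint SOP cover: one product term per root-to-terminal path, written as a TCAM
    value/mask row per field plus the action the terminal denotes (the row's action entry)."""
    rows = []
    def walk(node, assign):
        if node <= 1:
            row = {n: (sum(assign.get(VAR[(n, b)], 0) << b for b in range(w)),
                       sum((VAR[(n, b)] in assign) << b for b in range(w))) for n, w in FIELDS}
            rows.append((row, "permit" if node else "deny"))
        else:
            v, lo, hi = bdd.nodes[node]
            walk(lo, {**assign, v: 0})
            walk(hi, {**assign, v: 1})
    walk(f, {})
    return rows

def tcam_lookup(rows, pkt):                 # a row hits when every masked packet bit equals its value
    for row, action in rows:
        if all(pkt[n] & mask == value for n, (value, mask) in row.items()):
            return action
    return "deny"                           # no row hit: implicit deny
```

Because the BDD is canonical, appending an explicit "deny all" ACE yields the very same node as leaving it implicit, while swapping the order of two overlapping ACEs yields a different function, which is the ordering property the ITE loop has to preserve.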
... in BDD format that ... traverse the nodes of ACL 800 ... to reach one of the specified ... traversed, the corresponding ... (permit or deny). Referring to ... the BDD 800 is ... the thirty-first bit of the IP DA ... is repeated down the ACL until one of the decisions 806, 808 is reached. If the value of a variable is "don't care", then the node is not even present.

The evaluation of an ACL in BDD format essentially takes a constant time regardless of the number of ACEs that are present in the ACL. Accordingly, a software evaluation of ACLs in BDD format may be preferred for ACLs that have a large number of ACEs. For example, if an ACL has between 8 to 16 or more ACEs, it may be more efficient to evaluate the ACL in BDD format.

Other ACL Formats

Those skilled in the art will understand that the number of ... collapsing several nodes into one or more supernodes that use multi-valued variables. More specifically, assuming the ACL tests IP SA (32 bits), IP DA (32 bits), Protocol (8 bits), ... single variable nodes ... identified by the respective value or (2) "return" the ... the first cell of the table with the first set of input variables. ... the action specified by the first set of input variables is "go ... similarly facilitate software evaluation of the ... BDD may also be utilized.

In addition to representing ACLs in BDD format, the ACL converter 424 may also represent ACLs as Algebraic Decision Diagrams (ADDs). FIG. 13 is a schematic illustration of an ACL 1300 in ADD format. ADD-formatted ACL 1300 includes a plurality of interconnected nodes 1302, each of which has its own identifying label (e.g., a01, a11, a12, . . . a21, . . . c42). The nodes 1302 of the ADD-formatted ACL ... IP-DA[31] ... start block ... decision blocks 1306-1312 (e.g., permit, deny, permit and log, and deny and log). Thus, a single ADD-formatted ACL may be used to represent an ACL having more than two different results. A suitable description of ADD manipulation ... Hachtel, E. Macii, A. Pardo, F. Somenzi, Algebraic Decision ...

The foregoing description has been directed to specific embodiments. It will be apparent, however, that other variations and modifications may be made to the described embodiments, with the attainment of some or all of their advantages. For example, rather than include a separate memory 411 associated with the TCAM 410, the ACL converter may write the corresponding actions into dynamic memory 409. Upon locating a match, the TCAM ... the corresponding action. Those skilled in the art will recognize that other arrangements are also possible. Therefore, it is the object of the appended claims to cover all such variations and modifications as come within the true spirit and scope of the invention.

What is claimed is:

1. In an intermediate network device having a plurality of ports for forwarding messages between one or more network entities across a computer network and a memory device, a method for optimizing one or more Access Control Lists (ACLs) comprising the steps of:

retrieving a first ACL having a plurality of Access Control Entry (ACE) statements;

translating each ACE statement of the first ACL into a Binary Decision Diagram (BDD) format;

processing each of the BDD-formatted ACE statements so as to generate a single BDD corresponding to the first ACL;

translating the single BDD-formatted ACL into a second boolean representation; and

storing the ACL corresponding to the second boolean representation at the memory device.

... extracting a selected BDD-formatted ACE statement from the ACL; and

applying an If-Then-Else (ITE) operator to the extracted ACE statement ...

4. ... a content addressable memory (CAM).

5. The method of claim 4 wherein the second boolean representation is a Sum of Products (SOP) representation.

6. The method of claim 5 wherein a plurality of ACLs are assigned to a given interface of the intermediate device and the intermediate device includes at least one conflict resolution table for resolving conflicts among actions specified by the plurality of ACLs, the method further comprises the step of merging each ACL assigned to the given interface into a single, unified ACL that represents all of the ACLs assigned to the ...
8. The method of claim 7 wherein

the ACLs are used to evaluate network messages received by the intermediate network device, and

the ACEs specify one or more of Internet Protocol (IP) source address, IP destination address, ..., Transmission Control Protocol/User Datagram Protocol (TCP/UDP) source port and TCP/UDP destination port.

... representation is a Sum of Products ...

10. The method of claim 1 wherein ... assigned to a given interface of the ... with the given interface.

... Control Protocol/User Datagram Protocol (TCP/UDP) source port and TCP/UDP destination port.

12. An Access Control List (ACL) converter for use at an ... for forwarding messages between one or more network ... storing one or more ACLs in a first format, each of the one or more ACLs having a plurality of Access Control Entry (ACE) statements, wherein a plurality of ACLs are assigned to a given interface, the ACL converter comprising:

a ... one or more ACL in the first format, and to translate the ACE statements of the one or more ACL into a Binary Decision Diagram (BDD) format; and

a ... operatively coupled to the boolean transformation engine and configured to ... as to generate a single BDD corresponding to the ACL, wherein ... ACL assigned to the given interface into a ... unified ACL that represents all of the ACLs ... at least one conflict resolution table for resolving ... actions specified by the plurality of ACLs ... given interface, wherein ...

15. A computer readable medium co... translating each ACE statement of the first ACL into a Binary Decision Diagram (BDD) format;

processing each of the BDD-formatted ACE statements so as to generate a single BDD corresponding to the first ACL; and

translating the single BDD-formatted ACL into a second boolean representation; and

storing the ACL ...

... further program instructions for:

extracting a selected BDD-formatted ACE statement from the ACL; and

applying an If-Then-Else (ITE) operator to the extracted ... ACL.

17. The computer readable medium of claim 16 wherein the function representing the first ACL is optimized with ...

19. The computer readable medium of claim ... are used to evaluate network messages received by the intermediate network device, and the ACEs specify one or ...